PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7392 Autotrace Project CVE debrief

CVE-2016-7392 describes a heap-based buffer overflow in AutoTrace 0.31.1. When pstoedit_suffix_table_init in output-pstoedit.c processes a crafted BMP image, the flaw can cause an out-of-bounds write and denial of service. NVD assigns the issue CVSS 3.0 5.5 (Medium) and maps it to CWE-787.

Vendor: Autotrace Project
Product: CVE-2016-7392
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Administrators and developers who run or embed AutoTrace 0.31.1, especially in workflows that accept BMP images from untrusted sources, should review exposure and replace or isolate the affected component.

Technical summary

The NVD record identifies a heap-based buffer overflow in pstoedit_suffix_table_init within output-pstoedit.c in AutoTrace 0.31.1. The vulnerable path is reached through a crafted BMP image file. The weakness is classified as CWE-787 (out-of-bounds write). NVD rates the issue CVSS 3.0 5.5 with AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.

Defensive priority

Medium. The main impact is availability loss through process crash or denial of service, with user interaction required according to the CVSS vector.

Recommended defensive actions

  • Identify whether AutoTrace 0.31.1 is installed or embedded in your environment.
  • Update to a fixed release if one is available from the project or your package vendor.
  • Avoid processing untrusted BMP files with affected builds until remediation is in place.
  • Use sandboxing, least privilege, or process isolation for image conversion workflows.
  • Monitor for crashes or abnormal termination in AutoTrace-based conversion jobs.
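The list above amounts to one procedure: find affected builds, run conversions under isolation, and treat abnormal termination as a signal worth logging. The script below is an added example, not tooling from PatchSiren or the AutoTrace project. It assumes that `autotrace --version` prints a banner containing the version number (an assumption about the CLI), that the command line you pass to `run_isolated` is whatever your workflow already uses, and that it runs on a POSIX system where `resource` limits and signal exit codes are available. The self-crashing shell command in the demo is a constructed stand-in for a job that dies.

```python
"""Inventory, isolated execution and crash classification for AutoTrace
conversion jobs (added example; not PatchSiren or AutoTrace code)."""
import re
import resource
import shutil
import signal
import subprocess
from dataclasses import dataclass
from typing import Optional

AFFECTED_VERSIONS = {"0.31.1"}  # version named in the CVE-2016-7392 record


def parse_version(banner: str) -> Optional[str]:
    """Pull the first dotted version number out of a banner string."""
    m = re.search(r"(\d+\.\d+(?:\.\d+)?)", banner)
    return m.group(1) if m else None


def is_affected_version(banner: str) -> bool:
    """True when the banner names a version listed as affected."""
    return parse_version(banner) in AFFECTED_VERSIONS


def installed_autotrace_version() -> Optional[str]:
    """Version of an autotrace binary on PATH, or None if absent.

    Assumption: `autotrace --version` prints a banner with the version.
    """
    exe = shutil.which("autotrace")
    if exe is None:
        return None
    try:
        out = subprocess.run([exe, "--version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return parse_version(out.stdout + out.stderr)


@dataclass
class JobResult:
    outcome: str            # "ok", "error", "crash" or "timeout"
    detail: str
    returncode: Optional[int]


def classify_returncode(rc: int) -> JobResult:
    """Map a subprocess return code to an outcome.

    A negative code means the child was killed by that signal, which is
    how a heap corruption crash (SIGSEGV, SIGABRT) shows up to the parent.
    """
    if rc == 0:
        return JobResult("ok", "exited normally", rc)
    if rc < 0:
        try:
            name = signal.Signals(-rc).name
        except ValueError:
            name = f"signal {-rc}"
        return JobResult("crash", f"killed by {name}", rc)
    return JobResult("error", f"exit status {rc}", rc)


def _limiter(mem_bytes: int, cpu_seconds: int):
    """Return a preexec hook that caps memory and CPU and disables cores."""
    def apply():
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    return apply


def run_isolated(cmd, timeout: int = 30, mem_bytes: int = 512 * 1024 * 1024,
                 cpu_seconds: int = 30) -> JobResult:
    """Run a conversion command with resource limits and a wall-clock cap."""
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout,
                              preexec_fn=_limiter(mem_bytes, cpu_seconds))
    except subprocess.TimeoutExpired:
        return JobResult("timeout", f"no exit within {timeout}s", None)
    return classify_returncode(proc.returncode)


if __name__ == "__main__":
    ver = installed_autotrace_version()
    print("autotrace:", ver or "not found",
          "(AFFECTED)" if ver and ver in AFFECTED_VERSIONS else "")
    # Constructed stand-in for a conversion job that dies with SIGSEGV.
    print(run_isolated(["sh", "-c", "kill -SEGV $$"], timeout=5))
```

In a real pipeline the `run_isolated` call wraps the autotrace command line, the `crash` and `timeout` outcomes feed the monitoring the debrief recommends, and the memory and CPU caps bound what a malformed input can consume. Running the job as a dedicated low-privilege user or inside a container adds the least-privilege layer that resource limits alone do not provide.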

Evidence notes

Supported by the NVD CVE record and referenced advisories. The CVE description states a heap-based buffer overflow in pstoedit_suffix_table_init in output-pstoedit.c affecting AutoTrace 0.31.1 and triggered by a crafted BMP image file. The NVD record also provides the CVSS vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H and CWE-787 classification. References include oss-security posts, a Gentoo advisory, SecurityFocus, and Red Hat bug tracking.

Official resources

The CVE was published on 2017-02-15. The supplied references show public disclosure activity in September 2016 via oss-security and related advisories. The NVD record was modified on 2026-05-13; that date reflects record maintenance, not a